fix(jwt): store raw JWT token in cookies without Bearer prefix (#4552)

* fix(jwt): store raw JWT token in cookies without Bearer prefix

* fix(jwt): update OAuth2PasswordBearerAuth as well

* fix(jwt): restore backwards compatibility

* test(jwt): add assertion for correct cookie format

* fix(jwt): parse correct and legacy token formats

* docs: restore pydoc string

Author: disrupted

litestar/security/jwt/auth.py

@@ -546,7 +546,7 @@ def login(
             key=self.key,
             path=self.path,
             httponly=True,
-            value=self.format_auth_header(encoded_token),
+            value=encoded_token,
             max_age=int((token_expiration or self.default_token_expiration).total_seconds()),
             secure=self.secure,
             samesite=self.samesite,
@@ -799,7 +799,7 @@ def login(
             key=self.key,
             path=self.path,
             httponly=True,
-            value=self.format_auth_header(encoded_token),
+            value=encoded_token,
             max_age=expires_in,
             secure=self.secure,
             samesite=self.samesite,

litestar/security/jwt/middleware.py

@@ -262,8 +262,10 @@ async def authenticate_request(self, connection: ASGIConnection[Any, Any, Any, A
         Returns:
             AuthenticationResult
         """
-        auth_header = connection.headers.get(self.auth_header) or connection.cookies.get(self.auth_cookie_key)
-        if not auth_header:
+        encoded_token = (
+            connection.headers.get(self.auth_header, "").partition(" ")[-1]
+            or connection.cookies.get(self.auth_cookie_key, "").split(" ")[-1]
+        )
+        if not encoded_token:
             raise NotAuthorizedException("No JWT token found in request header or cookies")
-        encoded_token = auth_header.partition(" ")[-1]
         return await self.authenticate_token(encoded_token=encoded_token, connection=connection)

tests/unit/test_security/test_jwt/test_auth.py

@@ -357,6 +357,12 @@ def logout_handler(request: Request["User", Token, Any]) -> dict[str, str]:
         client.cookies = {auth_cookie: jwt_auth.format_auth_header(encoded_token)}
         response = client.get("/my-endpoint")
         assert response.status_code == HTTP_200_OK
+
+        client.cookies.clear()
+        client.cookies = {auth_cookie: encoded_token}
+        response = client.get("/my-endpoint")
+        assert response.status_code == HTTP_200_OK
+
         response = client.get("/logout")
         if decoded_token.jti:
             assert response.json()["message"] == "logged out successfully"